A Blog about malware and file formats

All articles for category: tutorial
Writing a Qakbot 5.0 config extractor with Malcat

Writing a Qakbot 5.0 config extractor with Malcat

Fri 16 February 2024
Starting from a (backdoored) MSI installer, we will unroll the infection to chain to get the final Qakbot sample. Sticking to pure static analysis, we will then decrypt Qakbot's configuration and finally write a script in Malcat to automate the process.
Read more →
Shrinking a PYC file to its minimum

Shrinking a PYC file to its minimum

Sun 07 January 2024
In this tutorial, we will see how to use Malcat editing capabilities to reduce the size of a python bytecode file (.pyc) to its minimum. This article is the write-up for our Binary Golf Grand Prix 4 entry.
Read more →
Statically unpacking a simple .NET dropper

Statically unpacking a simple .NET dropper

Mon 16 August 2021
Our target is a 2-layers .NET dropper using multiple cipher passes (XOR, AES ECB and AES CBC + PBKDF2) to finally drop a Loki sample. Without even starting a debugger, we will show how to unpack it 100% statically using Malcat's builtin transformations and the python scripting engine.
Read more →